Add IOCs to TIP Sources
In addition to intelligence feeds, IOCs can be imported from the following external sources:
- Document sources - You can add documents in PDF, CSV, or TXT format. Threat Command scrapes the document and uploads all included IOCs to your company's TIP environment.
A document could be something that you compiled to gather IOCs, or it could be a document received by someone in the organization in which IOCs were found. IOCs are extracted, analyzed, and aggregated on the platform. - Email sources - You can send or forward emails to a designated Rapid7 email address. Threat Command scrapes the email and uploads all IOCs included in the body of the message to your company’s TIP environment.
An email could be something that you compiled to gather IOCs, or it could be something received by someone in the organization. IOCs are extracted, analyzed, and aggregated on the platform.
- Threat Command API -IOCs can also be uploaded with the Threat Command API. For more information, see the API documentation.
Add IOCs from a document
You can add IOCs (URLs, domains, IP addresses, and file hashes) from an existing document. When you upload a document, it will be assigned a unique ID. You can use this ID to query the API.
To add IOCs from a document:
- From the TIP > Sources page, click the Documents**** tab.
- Click Add Document.
- Select a document to upload and click Open.
TIP processes the document and presents a list of IOCs found in the document. - Select the IOCs to be added.
- (Optional) Set a confidence level and severity, and add a description for the uploaded IOCs.
- Click Upload.
Add IOCs from email
You can add IOCs (URLs, domains, IP addresses, email addresses, and file hashes) by email. Threat Command will parse the IOCs in the email content and upload them to your environment as email sources.
You can define ways to send emailed IOCs into different groups. For example:
- One group in which the IOCs will be blocked in a device and another group whose IOCs will be monitored in a device.
- One group for URLs and another group for IP addresses. You may have different automations for these different IOC types.
You can also limit the ability to send email IOCs from certain email addresses.
After the IOCs are parsed and processed, you can see which IOCs were processed in the Emails tab.
The email must be smaller than 1 MB. For larger content, you can upload IOCs in multiple email messages.
First, you must configure the email IOC settings, then you can send emails to a unique email address for your account.
To configure sending IOCs in an email:
- From the Tip > Sources page, select the Emails tab.
- Click Add Email.
- In the Add Emaildialog, configure an email source group:
- Type a user-defined name.
- (Optional) Add a description for all added IOCs.
- (Optional) Select a severity and confidence level for all added IOCs.
- In the Contains this word in the subject line field, type a string to identify these email IOCs.
This string tells Threat Command how to group received email messages. For example, if you type whitelist, all emails that are sent with the word whitelist in the subject will be part of this email source group. - (Optional) To limit the sending of emailed IOCs to certain senders, select Allowed email senders list, then type their addresses in the Senders field (optional).
- Click Save.
- Repeat the above process for each email source group.
After the first email group is created, the unique email address to where you should send the emails is displayed on the Emails tab and the new group is displayed:
To email IOCs to a group:
- Copy IOCs into the body of an email message.
You can also forward a message that contains IOCs in it, but we strongly recommend that you follow the best practices. - In the subject of the email message, type the word that designates this email group, as configured in the previous task (Contains this word in the subject line ).
- Send the email message to the address that is displayed in the Emails tab.
If the email subject matches a subject that was previously configured, the IOCs will be parsed and added to that group.
This process can take several minutes.
Best practices for uploading email IOCS
For best results, encode IOCs according to these suggestions:
To include URLs, domains, and email addresses, encode them as follows:
For this original text | Encode (change) it as ONE of these options |
---|---|
. | [.], (.) , [dot], (dot) , [punkt], or (punkt) |
@ | [@], (@) , [at], (at) , [et], or (et) |
: | [:] or (:) |
www | [www] or (www) |
http | hxxp or xxxx or h[xx]p |
https | hxxps or xxxxx |
For example, https://google.com/ should be encoded as https://google[.]com/ or hxxps://google.com/
IP addresses and email addresses do not need to be encoded.
To view IOCs in an email group: